
Understand Static Data Acquisition

Static data acquisition concerns non-volatile data, which does not change its state after the system is shut down. It is the process of extracting and gathering unaltered data from storage media. Sources of non-volatile data include hard drives, DVD-ROMs, USB drives, flash cards, smartphones, external hard drives, etc. This type of data exists in the form of emails, word processing documents, web activity, spreadsheets, slack space, swap files, unallocated drive space, and various deleted files. Investigators can repeat a static acquisition on well-preserved disk evidence and expect the same result each time.

Static data recovered from a hard drive includes:

  • Temporary (temp) files
  • System registries
  • Event/system logs
  • Boot sectors
  • Web browser cache
  • Cookies
  • Hidden files


Rules of Thumb

A rule of thumb is a best practice that, when applied to a process, helps to ensure a favorable outcome. In the case of a digital forensics investigation: “The better the quality of evidence, the better the analysis and likelihood of solving the crime.”

Never perform a forensic investigation or any other process on the original evidence or source of evidence, as doing so may alter the data and render the evidence inadmissible in a court of law. Instead, create a duplicate bit-stream image of the suspicious drive/file, and view and work on the static data in that image. This practice not only preserves the original evidence but also provides a chance to recreate the duplicate if something goes wrong.

Always produce two copies of the original media before starting the investigation process for the following purposes:

  • One copy is the working copy, for analysis
  • One copy is the library/control copy stored for disclosure purposes or in the event that the working copy gets corrupted

If the investigators need to perform drive-to-drive imaging, copy onto blank media: new, shrink-wrapped drives. After duplicating the original media, verify the integrity of the copies against the original using hash values such as MD5.

Why Create a Duplicate Image?

Digital data are more susceptible to loss, damage, and corruption unless the investigators preserve and handle it properly. Prior to examination, the investigators should forensically image or duplicate the electronic device data and keep two or more copies. Forensic investigators should use only the image data for their investigation.

Bit-Stream Image Vs. Backups

1. Bit-Stream Image

Bit-stream imaging, also known as mirror imaging or evidence-grade backup, is the process of creating a duplicate of a hard disk by copying its data bit by bit onto another storage medium. The process copies all the sectors of the target drive, including hidden and residual data such as slack space, unused space, residue, swap files, deleted files, etc. Bit-stream programs depend on CRC computations in the validation process. This type of imaging requires more space and takes more time to complete.
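As an added illustration of the two rules above (two verified copies, and a bit-stream copy that carries slack and unallocated space along with the live files), the following Python script is not from the original article or from any forensic tool; it images a constructed stand-in for a seized drive into a working copy and a control copy, computes MD5, SHA-256 and CRC32 over the bytes as they stream, and re-hashes each copy against the source. The file names, the `demo` helper and its sample contents are assumptions made for the example; in practice the source would be a device node behind a hardware write blocker.

```python
import hashlib
import os
import tempfile
import zlib

CHUNK = 1 << 20  # stream the source in 1 MiB reads; never load a whole disk into memory


def _hash_stream(fin, fout=None, chunk=CHUNK):
    """Read fin sequentially, optionally writing every byte to fout, and return the
    byte count plus MD5, SHA-256 and CRC32 computed over exactly the bytes seen."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    crc, total = 0, 0
    for buf in iter(lambda: fin.read(chunk), b""):
        if fout is not None:
            fout.write(buf)
        md5.update(buf)
        sha.update(buf)
        crc = zlib.crc32(buf, crc)
        total += len(buf)
    return {"bytes": total, "md5": md5.hexdigest(),
            "sha256": sha.hexdigest(), "crc32": f"{crc:08x}"}


def image(src, dst):
    """Bit-stream copy: every byte of src, in order, into dst, so slack space,
    unallocated sectors and deleted-file remnants travel with the live files."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:  # source opened read-only
        return _hash_stream(fin, fout)


def digest(path):
    """Recompute the same values for a finished copy."""
    with open(path, "rb") as f:
        return _hash_stream(f)


def acquire(src, working, control):
    """Produce the two copies the rules of thumb require and verify both against the
    source hashes: the working copy for analysis, the control copy kept untouched."""
    ref = image(src, working)
    image(src, control)  # second pass over the read-only source, not a copy of the copy
    report = {"source": ref, "working": digest(working), "control": digest(control)}
    report["verified"] = report["working"] == ref and report["control"] == ref
    return report


def demo(data=None, tamper=False):
    """Constructed stand-in for a seized drive (assumption, not a real image): a live file
    region, a 'deleted' remnant and zeroed unallocated sectors. tamper=True flips a byte
    in the control copy afterwards to show the verification catching a corrupted copy."""
    if data is None:
        data = (b"LIVE-FILE: quarterly.xlsx ..." + b"\x00" * 512
                + b"DELETED: draft memo, directory entry gone" + b"\x00" * 4096)
    with tempfile.TemporaryDirectory() as d:
        src, working, control = (os.path.join(d, n) for n in ("evidence.dd", "working.dd", "control.dd"))
        with open(src, "wb") as f:
            f.write(data)
        report = acquire(src, working, control)
        if tamper:
            with open(control, "r+b") as f:
                f.write(b"X")  # one overwritten byte at offset 0
            report["control"] = digest(control)
            report["verified"] = report["control"] == report["source"]
        return report
```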

2. Backups

A backup is the process of copying and archiving system data so that the system can be restored to its previous state after a breakdown, security incident or data loss. Backups do not capture the complete disk contents; instead, they include OS-level data such as the live file system structure. This type of duplication does not contain slack space, deleted files, residue, etc., and the process often modifies timestamps and other attributes, thus contaminating the timeline.


Issues with Data Duplication

Data Duplication is the process of creating a copy of data that is a replica of the original source. The various issues associated with data duplication are:

  • The data duplication process can sometimes overwrite data fragments and damage their integrity
  • The process can alter the data stored in the Windows swap file, which temporarily stores information paged out of RAM
  • During data duplication, the device used to copy can also write data to the original evidence source and destroy its authenticity, leaving it unacceptable in a court of law
  • If the original data is contaminated, the critical evidence is lost, which causes problems in the investigation process
  • There is also a chance that the duplicate data is tampered with

Questions related to this topic

  1. What are the four steps in collecting digital evidence?
  2. What is live acquisition?
  3. How do you handle evidence?
  4. What type of acquisition is typically done on a computer seized during a police raid?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com
